Jump to content


Photo

IE browser hijack - "BEST OF THE WEB"


  • This topic is locked This topic is locked
8 replies to this topic

#1 smitty-g

smitty-g

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 27 May 2004 - 10:32 AM

A co-worker's PC has been infested!!

When she starts IE she gets a fullscreen window with a "Best of the WEB" page. The IE window is gone?. There is no IE nav bar, menu bar or title bar. This page covers everything but the taskbar.

The page title in the taskbar button is "Get Fuzzy". The window can only be closed by right clicking the button in the task and selecting Close. Then (sometimes), IE will start normally. Sometimes the same thing happens.

We've run AdAware and Spybot S&D (Latest versions and latest updates). Also ran Hijack this and deleted all the unknown "R1" entries. Didn't see any odd BHOs, but who knows?

This "Best of the web" keeps coming back.

I've read the FAQ page, and followed the directions for removal using HJT. FYI - Internet Options are accessable.

Any help would be appreciated.

#2 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 27 May 2004 - 10:56 AM

Can you please download HijackThis from this link, install it into C:\HJT. Run it, click on scan, save log and please post your entire log here for analysis.

Thank you.

#3 smitty-g

smitty-g

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 02 June 2004 - 12:32 PM

Per your request:

Logfile of HijackThis v1.97.7
Scan saved at 10:29:50 AM, on 6/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\PROGRA~1\Navnt\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.i--search.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.i--search.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.i--search.com/ie/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -s C:/WINNT/sys.reg
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8103.5916087963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCE8A178-594B-4422-9798-EE5C2EC1ED74}: Domain = state.nv.us.
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCE8A178-594B-4422-9798-EE5C2EC1ED74}: NameServer = 10.131.11.24,10.131.11.25
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = state.nv.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = state.nv.us
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = state.nv.us


Sorry it took so long to get this back to you....

Thanks for the help!

Glen

#4 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 02 June 2004 - 01:02 PM

How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.

Run HijackThis and delete the following if still present:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.i--search.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.i--search.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.i--search.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.i--search.com/ie/
O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -s C:/WINNT/sys.reg

Please reboot into safe mode - How do I boot into "Safe" mode?

Please cleanup temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):
  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files(all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".
  • C:/WINNT/sys.reg
Reboot again and log in normally, repost a new HijackThis log into this message for further review.

#5 smitty-g

smitty-g

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 June 2004 - 09:26 AM

CWS run. Some items cleaned.

All temp files, cookies and IE temp files deleted for all users. Recycle bin emptied.

The "i-search*" entries were already gone and "C:/WINNT/sys.reg" was NOT present.

Rebooted and results from HJT are:

Logfile of HijackThis v1.97.7
Scan saved at 7:20:07 AM, on 6/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\PROGRA~1\Navnt\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8103.5916087963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCE8A178-594B-4422-9798-EE5C2EC1ED74}: Domain = state.nv.us.
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCE8A178-594B-4422-9798-EE5C2EC1ED74}: NameServer = 10.131.11.24,10.131.11.25
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = state.nv.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = state.nv.us
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = state.nv.us

I have advised my co-worker NOT to use her IE until I hear back from you.

#6 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 03 June 2004 - 09:44 AM

I do not see any further signs of infection which is definitely a good thing :)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#7 smitty-g

smitty-g

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 03 June 2004 - 10:31 AM

Well, I had her access the 'net and YES!! Apparently, the garbage has been eliminated. :D :D :D

Is this an 'old' problem or is there a specific sequence to run all the different malware removers? I ask because I had run AdAware, Spybot S&D and CWS prior, but it kept coming back.

You'll be hearing form me again as it seems my PC at home has also become infected (but different symptoms). :alarm: :grrr: :blush: :techsupport:

Thanks much for the help. Must be donation time!!

#8 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 03 June 2004 - 10:55 AM

No specific order to run them. Each program will catch a large portion of the spyware apps out there, but not all. This is one reason why I recommend multiple solutions - With all of them, things are almost completely eliminated.

#9 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 03 June 2004 - 02:09 PM

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button